Total
504 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7729 | 1 Ismartalarm | 2 Cubeone, Cubeone Firmware | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| On iSmartAlarm cube devices, there is Incorrect Access Control because a "new key" is transmitted in cleartext. | |||||
| CVE-2017-3218 | 1 Samsung | 1 Magician | 2025-04-20 | 8.3 HIGH | 8.8 HIGH |
| Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates. | |||||
| CVE-2017-6297 | 1 Mikrotik | 1 Routeros | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain access to networks on the L2TP server by monitoring the packets for the transmitted data and obtaining the L2TP secret. | |||||
| CVE-2022-38658 | 2 Hcltech, Microsoft | 2 Bigfix Server Automation, Windows | 2025-04-15 | N/A | 7.7 HIGH |
| BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed. | |||||
| CVE-2021-4239 | 1 Noiseprotocol | 1 Noise | 2025-04-14 | N/A | 7.5 HIGH |
| The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages. | |||||
| CVE-2007-4961 | 1 Lindenlab | 1 Second Life | 2025-04-09 | 4.3 MEDIUM | 7.5 HIGH |
| The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd field, which allows remote attackers to login to an account by sniffing the network and then sending this hash to a Second Life authentication server. | |||||
| CVE-2024-23444 | 1 Elastic | 1 Elasticsearch | 2025-04-04 | N/A | 4.9 MEDIUM |
| It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation. | |||||
| CVE-2025-29314 | 2025-03-27 | N/A | 8.1 HIGH | ||
| Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. | |||||
| CVE-2022-47715 | 1 Lastyard | 1 Last Yard | 2025-03-27 | N/A | 5.3 MEDIUM |
| In Last Yard 22.09.8-1, the cookie can be stolen via via unencrypted traffic. | |||||
| CVE-2025-1243 | 2025-02-12 | N/A | N/A | ||
| The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted inĀ information contained within the `update response` field not having Data Converter transformations (e.g. encryption) applied. This is an issue only when using the UpdateWorkflowExecution APIs (released on 13th January 2025) with a proxy leveraging the api-go library before version 1.44.1. Other data fields were correctly sent to Data Converter. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not impacted. | |||||
| CVE-2023-30523 | 1 Jenkins | 1 Report Portal | 2025-02-07 | N/A | 4.3 MEDIUM |
| Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2023-22948 | 1 Tigergraph | 1 Tigergraph | 2025-02-07 | N/A | 4.9 MEDIUM |
| An issue was discovered in TigerGraph Enterprise Free Edition 3.x. There is unsecured read access to an SSH private key. Any code that runs as the tigergraph user is able to read the SSH private key. With this, an attacker is granted password-less SSH access to all machines in the TigerGraph cluster. | |||||
| CVE-2024-38302 | 1 Dell | 1 Data Lakehouse | 2025-02-04 | N/A | 6.8 MEDIUM |
| Dell Data Lakehouse, version(s) 1.0.0.0, contain(s) a Missing Encryption of Sensitive Data vulnerability in the DDAE (Starburst). A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure. | |||||
| CVE-2024-40620 | 1 Rockwellautomation | 1 Pavilion8 | 2025-01-31 | N/A | 7.5 HIGH |
| CVE-2024-40620 IMPACT A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality. | |||||
| CVE-2023-21404 | 1 Axis | 1 Axis Os | 2025-01-29 | N/A | 5.3 MEDIUM |
| AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data. | |||||
| CVE-2023-32290 | 1 Vk.company | 1 Mymail | 2025-01-29 | N/A | 7.5 HIGH |
| The myMail app through 14.30 for iOS sends cleartext credentials in a situation where STARTTLS is expected by a server. | |||||
| CVE-2023-35888 | 1 Ibm | 1 Security Verify Governance | 2025-01-27 | N/A | 5.9 MEDIUM |
| IBM Security Verify Governance 10.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 258375. | |||||
| CVE-2023-32982 | 1 Jenkins | 1 Ansible | 2025-01-23 | N/A | 4.3 MEDIUM |
| Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | |||||
| CVE-2020-27650 | 1 Synology | 3 Diskstation Manager, Skynas, Skynas Firmware | 2025-01-14 | 4.3 MEDIUM | 5.8 MEDIUM |
| Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. | |||||
| CVE-2024-7142 | 2025-01-10 | N/A | 4.6 MEDIUM | ||
| On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them | |||||